Re: Actual BIND error - Patching OpenBSD 4.3 named ?
On Jul 9, 2008, at 12:19 PM, Ted Unangst wrote:

>> n front). something like,
>>
>>   nat on egress proto udp from (self) to any port 53 -> (self)
>
> I don't think this actually accomplishes much. It still lets poisoned
> replies back in on the previous port number.

But does it allow a poisoned reply from the spoofed address? As I understand the threat, based on the limited information:

1. Attacker sends a valid user a www.badman.com link to click on.
2. Resolver queries the badman.com NS from port 5 for www.badman.com, which is a CNAME to www.ebay.com.
3. New query for www.ebay.com to the ebay.com NS originates from udp port 54321.
4. A spoofed UDP packet from the badman.com NS using port 5 shouldn't match the ebay query, and the poisoning shouldn't work.

If I'm missing something, I welcome any corrections.

Thanks,
Steve
Re: Actual BIND error - Patching OpenBSD 4.3 named ?
On Jul 9, 2008, at 4:53 AM, Rod Whitworth wrote:

> # tcpdump -nettti rl0 dst port 53
> tcpdump: listening on rl0, link-type EN10MB
> Jul 09 19:48:27.786683 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 70: 192.168.80.4.16284 > 192.168.80.1.53: 57120+ A? pps.com.au. (28)
> Jul 09 19:48:43.690332 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 67: 192.168.80.4.1356 > 192.168.80.1.53: 32536+ A? ibm.com. (25)
> Jul 09 19:49:11.013223 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 69: 192.168.80.4.14540 > 192.168.80.1.53: 29420+ A? intel.com. (27)
> # uname -a
> OpenBSD master.witworx.com 4.3 GENERIC#698 i386
>
> Guess again. Was that so hard to try?

I get a different result using the external interface of my caching name server, and mine looks vulnerable.

frank# tcpdump -nettti em1 dst port 53
tcpdump: listening on em1, link-type EN10MB
Jul 09 05:54:23.291421 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 82: xx.xx.9.35505 > 205.177.95.83.53: 27972 A? a1397.g.akamaitech.net. (40)
Jul 09 05:54:25.814869 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 86: xx.xx.95.9.35505 > 75.126.144.219.53: 58999% [1au] A? www.virg9lio.it. (44)
Jul 09 05:54:25.862953 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 87: xx.xx.95.9.35505 > 75.126.144.219.53: 2869% [1au] A? www.virgbilio.it. (45)
Jul 09 05:54:35.864421 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 87: xx.xx.95.9.35505 > 75.126.217.184.53: 43066% [1au] A? www.virgbilio.it. (45)
Jul 09 05:54:42.188507 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 102: xx.xx.95.9.35505 > 216.239.36.10.53: 20026% [1au] A? safebrowsing.clients.google.com. (60)
Jul 09 05:54:42.214185 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 91: xx.xx.95.9.35505 > 64.233.167.9.53: 29212% [1au] A? clients.l.google.com. (49)
Jul 09 05:54:42.347093 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 85: xx.xx.95.9.35505 > 198.105.192.254.53: 9616% [1au] A? log.wip.go.com. (43)
Jul 09 05:54:42.678103 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 96: xx.xx.95.9.35505 > 64.233.167.9.53: 17632% [1au] A? static.cache.l.google.com. (54)
frank# uname -a
OpenBSD frank.placeholder.com 4.3 GENERIC#698 i386
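The check Rod and Steve are doing by eye above, namely whether a resolver's outbound queries keep reusing one UDP source port, as a small parser over tcpdump -nettti "dst port 53" output. This is an added example, not code from the thread; the two captures it reads are constructed in the quoted format with documentation and private addresses.

```python
import re
from collections import Counter

# Constructed captures in the tcpdump -nettti "dst port 53" format quoted above.
# Addresses are documentation/private ranges, not hosts from the thread.
FIXED_PORT_CAPTURE = """\
Jul 09 05:54:23.291421 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 82: 10.0.0.9.35505 > 192.0.2.1.53: 27972 A? a.example. (40)
Jul 09 05:54:25.814869 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 86: 10.0.0.9.35505 > 192.0.2.2.53: 58999% [1au] A? b.example. (44)
Jul 09 05:54:42.188507 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 102: 10.0.0.9.35505 > 192.0.2.3.53: 20026% [1au] A? c.example. (60)
"""
RANDOM_PORT_CAPTURE = """\
Jul 09 19:48:27.786683 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 70: 192.168.80.4.16284 > 192.168.80.1.53: 57120+ A? a.example. (28)
Jul 09 19:48:43.690332 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 67: 192.168.80.4.1356 > 192.168.80.1.53: 32536+ A? b.example. (25)
Jul 09 19:49:11.013223 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 69: 192.168.80.4.14540 > 192.168.80.1.53: 29420+ A? c.example. (27)
"""

# tcpdump glues the port onto the address: "src.ip.port > dst.ip.53: txid[+%] ..."
QUERY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)"
)

FIXED = "fixed source port: looks vulnerable"
VARIES = "source port varies"
TOO_FEW = "too few queries to judge"


def parse_queries(capture):
    """Return (src_ip, src_port, txid) for every outbound query in the capture."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append((m.group("src"), int(m.group("sport")), int(m.group("txid"))))
    return queries


def source_port_report(capture, min_queries=3):
    """Summarise how many distinct source ports (and transaction IDs) the
    resolver used.  One port across every query is the pattern Steve saw on
    em1; spread-out ports are what Rod saw on rl0."""
    queries = parse_queries(capture)
    if len(queries) < min_queries:
        return {"queries": len(queries), "distinct_ports": 0,
                "distinct_txids": 0, "verdict": TOO_FEW}
    ports = Counter(q[1] for q in queries)
    txids = {q[2] for q in queries}
    verdict = FIXED if len(ports) == 1 else VARIES
    return {"queries": len(queries), "distinct_ports": len(ports),
            "distinct_txids": len(txids), "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("em1-style", FIXED_PORT_CAPTURE), ("rl0-style", RANDOM_PORT_CAPTURE)):
        print(name, source_port_report(cap))
```

Feed it a longer capture than three lines before drawing conclusions; a resolver that happens to reuse a port twice in a row is not the same as one that never changes it.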
Re: need a machine for an itanium port
I just sent a $100 donation via the orders page, for itanium...or whatever.

Paul de Weerd wrote:
> On Fri, Jun 08, 2007 at 12:42:15PM -0600, Diana Eichert wrote:
> | On Fri, 8 Jun 2007, Theo de Raadt wrote:
> |
> | >>anybody showed interest in supporting your Itanium request?
> | >
> | >From what I know, I think dlg has not received any real offers
> | >yet.
> |
> | Sad, well I'll throw US$100 into the mix if someone wants to co-ordinate
> | it. I don't have any use for Itanium, but I do know that dlg@ has done
> | some great work, so I might as well support him in something he wants to
> | do.
> |
> | Anyone else?
>
> I'll match your $100, Diana.
>
> Paul 'WEiRD' de Weerd
>
> --
> [<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
Re: spamd question
Martin wrote:

> Can (or does) spamd look at the From:, do a MX/A record dns lookup and compare it to the sender IP to see if it's valid during the SMTP transaction ?

Assuming you're talking about spamd in greylisting mode, here's your answer from spamd(8):

    spamd will use the db file in /var/db/spamd to track these
    non-blacklisted connections to spamd by connecting IP address,
    envelope-from, and envelope-to, or "tuple" for short.

spamdb does nothing more than take the tuple it's given, and then compare it to a subsequent connection. If a connection is made using the same tuple, after a specified period of time, then the IP address is added to the spamd-white table. There are no lookups of any kind, which is part of the reason spamd remains lightweight and efficient. But there are other reasons why your suggestion is not a good one.

> (I note if you put in a spamtrap email address it will do a straight IP block)

Yes, your answer is once more in the man page:

    When a host that is currently greylisted attempts to send mail to a
    spamtrap address, it is blacklisted for 24 hours by adding the host
    to the spamd blacklist spamd-greytrap.

This is straightforward, since the To: address is part of the tuple that spamd is already assembling.

> e.g.
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -
> Received: from host194.skytechinc.com (HELO mail.skytechinc.com) (63.111.223.194) by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -
> Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 16 Jan 2007 17:51:43 -0500
> Reply-To: <[EMAIL PROTECTED]>
> From: "Town North Bank"<[EMAIL PROTECTED]>
> Subject: Notification from North Town BANK !
> Date: Wed, 17 Jan 2007 00:51:46 +0200
>
> dig mx tnnb.com
> ;; ADDITIONAL SECTION:
> mx1.tnnb.com.   3600  IN  A  208.217.213.106
>
> So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server and can be blacklisted/tarpitted.

Is it that obvious? Let's check a large company:

$ host -t mx hormel.com
hormel.com mail is handled by 200 hormel.com.mail6.psmtp.com.
hormel.com mail is handled by 300 hormel.com.mail7.psmtp.com.
hormel.com mail is handled by 400 hormel.com.mail8.psmtp.com.
hormel.com mail is handled by 100 hormel.com.mail5.psmtp.com.

Hormel uses Postini for all their incoming email, for spam/virus protection, and so an MX lookup does not tell you where their email originates. How much code would you add to spamd, and still not have a workable solution?

Hormel is just an example I pulled from Postini's customer page. There are many, many companies out there that outsource their incoming email for virus/spam/compliance reasons. It is one of the headaches I deal with regularly, when their outgoing mail servers ignore the 451 message, and instead try 5-6 times in quick succession, then report failure (Symantec AV Gateway for Exchange, I'm looking in your general direction). Of course, you may want certain IP ranges whitelisted if they are important to you.

> You might want to allow/whitelist a specific, or a number of email addresses from an IP but greylist/blacklist the rest depending on your requirements.

No. I don't want spamd to greylist each unique address that comes from a host. Once a mail server has been whitelisted, I accept all mail from that server. Part of the confusion here seems to be that you think spamd cares about DNS. It doesn't.

> Can some of the above be discussed/implemented in spamd? Sorry, I don't program, just do some light scripting, but if I can see obvious SPAM's from the headers and a dns MX/A lookup, I would hope that spamd could be extended with options to catch and tarpit these people/servers/viruses etc.

It's not obvious, and that's not what spamd does. You could certainly configure your mail server to do strict checking, and only accept mail from IPs with valid MX records (I would never do such a thing myself, but I'm sure it can be done).

Steve
Re: Error with 002_openssl.patch
On Nov 11, 2006, at 10:47 AM, Federico Giannici wrote:

> No, I'm SURE I executed ALL of them, including "make includes"! In fact, it is in the steps I wrote. And I repeated it a couple of times. There must be something else wrong...

I happened to have a freshly-upgraded 4.0 box on hand here, and I just cleanly applied the 002 patch to -release source, and successfully built and installed it. Whatever your problem is, it is unique to your system.

As others have suggested, mixing -stable and -release code is simply a bad idea, and it is even worse if kernel and userland don't match. Your best bet is to start over from a fresh install of 4.0, and then choose either the stable branch or the patch releases to stay up-to-date. If you insist on mixing things as you have, be prepared to fix the problems yourself.

Steve
Re: Spamd - whitelist of mis-behaving SMTP server POOLS
On Oct 20, 2006, at 8:42 AM, Will H. Backman wrote:

> Steve Williams wrote:
>> Bob, if you are listening, what do you do at the U of A to handle these mis-behaving server pools?
>
> Anyone else??

I have been running spamd for several years now, and have found that it works quite well for my company mail server, which receives about 5 emails per day. That said, I have had to maintain a list of misbehaving mailservers which bypass spamd. The following list started as the list from greylisting.org, and contains some additions of my own. For the most part, though, I never have to intervene, and I use the default greylist settings.

Steve

12.4.226.0/28 # console energy
12.5.136.141 # Southwest Airlines (unique sender, no retry)
12.5.136.142 # Southwest Airlines (unique sender, no retry)
12.107.209.244 # kernel.org mailing lists (high traffic, unique sender per mail)
12.107.209.250 # sourceware.org mailing lists (high traffic, unique sender per mail)
12.129.227.0/24 # gibsondunn.com
38.119.108.120 # best places to work survey
38.119.108.121 # best places to work survey
63.82.37.110 # SLmail
63.172.244.133 # kenexa.com
63.251.135.74 # constant contact
63.251.135.75 # constant contact
63.251.135.94 # constant contact
63.251.135.95 # constant contact
63.251.135.96 # constant contact
63.251.135.97 # constant contact
63.251.135.98 # constant contact
63.251.135.103 # constant contact
63.251.135.107 # constant contact
63.251.135.109 # constant contact
63.251.135.114 # constant contact
63.251.135.115 # constant contact
64.7.153.18 # sentex.ca (common pool)
64.12.137.0/24 # AOL (common pool) - http://postmaster.aol.com/servers/imo.html
64.12.138.0/24 # AOL (common pool)
64.95.46.224/27 # sothebys realty
64.95.77.162 # constant contact
64.95.77.163 # constant contact
64.95.77.164 # constant contact
64.95.77.166 # constant contact
64.95.77.167 # constant contact
64.95.77.168 # constant contact
64.124.204.39/32 # moveon.org (unique sender per attempt)
64.125.132.254/32 # collab.net (unique sender per attempt)
64.202.165.0/24 #
66.100.210.82 # Groupwise?
66.135.209.0/24 # Ebay (for time critical alerts)
66.135.197.0/24 # Ebay (common pool)
66.150.191.0/24 # gibsondunn.com
66.151.184.35 # constant contact
66.151.184.36 # constant contact
66.151.184.37 # constant contact
66.151.184.38 # constant contact
66.151.234.150 # constant contact
66.151.234.151 # constant contact
66.151.234.152 # constant contact
66.151.234.153 # constant contact
66.151.234.154 # constant contact
66.249.64.0/19 # Google
66.162.216.166 # Groupwise?
66.206.22.82 # PLEXOR
66.206.22.83 # PLEXOR
66.206.22.84 # PLEXOR
66.206.22.85 # PLEXOR
66.218.66.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.67.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.69.0/24 # Yahoo Groups servers (common pool, no retry)
68.142.192.0/18 # Yahoo
68.160.78.224/28
69.214.162.192/26
74.8.36.5 # arnoldmagnetics
74.8.36.7 # arnoldmagnetics
192.80.128.0/18 # thomson financial
195.224.48.0/24 # thomaspreston.co.uk
203.196.189.112/28 # kenexa
204.139.85.180 # ahss.org
204.139.85.181 # ahss.org
204.139.85.182 # ahss.org
206.16.56.0/24 # gibsondunn.com
207.67.8.0/24 # Milwaukee Bucks
207.170.16.74 # boelter.com
207.170.16.75 # boelter.com
207.241.31.46 # Goldberg Kohn
209.120.244.0/25 # kenexa
216.163.76.80/28 # Neorx.com
Re: pf/spamd issue: single ip "drowns" in big blacklist blocks - Or, how to create a fastlane for whitelisted hosts?
On Sep 28, 2006, at 1:39 AM, Rickard Borgmäster wrote:

> If that is the case, it's terrific :-) But it still doesn't take care of the "fastlane", so that whitelisted host doesn't have to go through the greylist process. Or does it?

That's because the "fastlane" is a separate issue. If you want a specific host to avoid the greylisting process, as well as a larger blacklist entry, use the spamdb(8) command to add a whitelist entry for it. The whitelist entry in spamd.conf will ensure that your host doesn't go into the blacklist table, and manually whitelisting it with spamdb will bypass the greylisting process.

Incidentally, if you want to set up a list of networks that never hit spamd, you can do that in pf. The following snippet comes from my pf.conf, with the mail server running on the same box. The "nogreylist" file contains a list of networks that use mail server farms, which have trouble greylisting because they regularly use different IPs -- a partial list can be found at www.greylisting.org. It also contains mail servers that run Symantec AV Gateway and other clueless software that won't retry when presented with a 451.

    table <nogreylist> persist file "/etc/mail/nogreylist"
    no rdr on $ext_if proto tcp from <nogreylist> to port smtp

Steve
Re: pf/spamd issue: single ip "drowns" in big blacklist blocks - Or, how to create a fastlane for whitelisted hosts?
On Sep 27, 2006, at 6:10 PM, Rickard Borgmäster wrote:

> What I see as the problem here, is that the "blacklisting" occurs before the whitelisting. So that, when a large block such as 31.32.33.0/24 is in and I wish to whitelist 31.32.33.188, that whitelist entry will have no effect.

This is solved in spamd, not pf. Have a look at spamd.conf(5). In short, you specify whitelists to be applied in conjunction with certain blacklists.

Steve
Re: hearing complaints regarding pre-orders
On Sep 21, 2006, at 2:12 PM, Martin Schröder wrote:

> 2006/9/21, L. V. Lammert <[EMAIL PROTECTED]>:
>> Nope, totals are right at the top of the page.
>
> + Shipping. When am I told, how much shipping will cost? At least not before I submit my credit card info.

When it ships, because you are charged the actual shipping cost, as Bob mentioned earlier in this thread. As long as I can remember, it's always been this way, and I've been buying CDs since 2.5. I'm amazed that anyone is making an issue of it now.

Steve
Re: hearing complaints regarding pre-orders
On Sep 21, 2006, at 8:41 AM, Peter wrote:

> I have seen on two sites a guy complaining about the CD ordering system. Apparently there is no mention of the amount you will actually be paying unless you provide your CC info. This may detract some potential buyers.

Huh? The prices are right there on the page in USD.

https://https.openbsd.org/cgi-bin/order
Re: openbsd and the money -solutions
James Mackinnon wrote:

> If you do offer paypal for the stuff above, I will buy more frequently as to do my part to help support the System I trust with my systems/network security. I will send a donation now as well as I can do that VIA paypal (won't be large, but it will be a donation)

It's your lucky day. From http://www.openbsd.org/orders.html#cshop

    Other payment methods:

    * PayPal: Payments may be sent to [EMAIL PROTECTED] If you know the
      total, including shipping, like for single CD sets (see mail order
      costs below or ask us), just place a web order, select payment
      method "pre-arranged", and put a note in the comments section of
      the order that payment is being made by PayPal. Pay in either US
      dollars, Canadian dollars or Euros.
Re: how do I make the history file created by ksh readable?
Bryan Brake wrote:

> I am taking an "Intro to UNIX" class at school. The teacher has asked that we send him a copy of our .history files to show what steps we used to complete certain assignments. I was able to setup the history in my .profile by reading ksh(1), but after I rebooted and issued a few commands, I looked at the .hist file I created, but it doesn't look the way I expected.

Does it have to be a .history file? Way back when I took classes, we used script(1), which has the benefit of a fixed start and end point, as well as providing the screen output of the command results.

Example typescript file:

    Script started on Fri Mar 24 14:05:04 2006
    $ echo "howdy"
    howdy
    $ exit

    Script done on Fri Mar 24 14:05:14 2006
Re: T-shirt query.
On Sun, 26 Feb 2006, Edd Barrett ([EMAIL PROTECTED]) wrote:

> Whilst browsing fosdem 2004 pics, I saw a t-shirt I like.
>
> http://saad.docisland.org/pictures/fosdem2004/files/page11-1008-full.html
>
> (far left. Dark with small blue puffy logo)
>
> Where can you get this tee? It doesn't appear to be on the t-shirts page.

That looks like the "Chicks Dig OpenBSD" t-shirt to me.

http://www.openbsd.org/tshirts.html#16

Steve
Re: Email problems
On Sun, 23 Oct 2005, Monah Baki ([EMAIL PROTECTED]) wrote:

> Hi all,
>
> Until 4 days ago, I no longer receive email on my server. I thought it was my provider (cox) since they block inbound and outbound smtp. If I telnet from the outside to my server on port 110 & 143,

110 and 143 are POP and IMAP. Email is delivered via SMTP, and so a connection to port 25 is what you're looking for. Since you say outright that Cox blocks inbound and outbound SMTP, I'd say you won't be able to run a mail server on that box.

Steve
Re: spamd greylisting and postfix
On Wed, 29 Jun 2005, Roy Morris ([EMAIL PROTECTED]) wrote:

> Anyone used spamd greylisting with postfix? I was on the greylisting site and postfix but didn't see any configuration examples.

It's no different than using spamd with sendmail. Once spamd has whitelisted the IP, email is delivered to your MTA on port 25, whatever that is. Postfix does not need to be aware of spamd at all.

Steve
Re: W32 codecs
> anyone know what happened to the w32codecs in the ports tree? I'm using 3.7-STABLE and see this:
>
> cirque$ cd ./graphics/win32-codecs
> cirque$ sudo make
> Password:
> ===>  Checking files for win32-codecs-20050216
> all-20050216.tar.bz2 doesn't seem to exist on this system.

Looks like the port needs to be updated. The filename currently offered is all-20050412.tar.bz2. It doesn't look like mplayer keeps the older codecs around.

http://www1.mplayerhq.hu/MPlayer/releases/codecs

Steve
Re: spamd greylisting and server pools
On Tue, 21 Jun 2005, Heinrich Rebehn ([EMAIL PROTECTED]) wrote:

> Would it be possible to change this behaviour so that the whitelisting is done as soon as the same sender/receiver pair is seen again, ignoring the ip address? This could speed up things a bit.

Here is why that idea won't work, using a current output of an address which gets a lot of spam (changed domain, obviously):

    GREY:24.166.74.197:<[EMAIL PROTECTED]>:<[EMAIL PROTECTED]>:1119344081:1119372881:1119372881:1:0
    GREY:24.174.188.85:<[EMAIL PROTECTED]>:<[EMAIL PROTECTED]>:1119344053:1119372853:1119372853:1:0
    GREY:62.254.134.244:<[EMAIL PROTECTED]>:<[EMAIL PROTECTED]>:1119344024:1119372824:1119372824:1:0

You'll see that whoever runs that botnet is using the same From/To for their spam. spamd would be completely ineffectual if it ignored source IP.

I spent several weeks massaging spamd for problems with mailer pools and clueless MTA like Lotus Notes and Symantec AV gateways. It takes work, just like anything else.

Steve
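The tuple logic from the "spamd question" reply above and the botnet point made here, worked through on spamdb-style GREY lines: the same From/To pair arriving from several hosts is whitelisted only per source IP, and the proposed "ignore the IP" matching would let a never-seen host through. This is an added example, not spamd's own code; the spamdb output, mailboxes, addresses and timestamps are constructed, and the parser handles IPv4 entries only.

```python
# Constructed spamdb(8) output in the GREY:ip:from:to:first:pass:expire:bcount:pcount
# layout quoted above.  Addresses, mailboxes and timestamps are placeholders; the
# three GREY rows model three botnet hosts sending the same From/To pair.
SPAMDB_OUTPUT = """\
GREY:198.51.100.11:<bounce@example.net>:<victim@example.org>:1119344081:1119345581:1119358481:1:0
GREY:198.51.100.12:<bounce@example.net>:<victim@example.org>:1119344053:1119345553:1119358453:1:0
GREY:203.0.113.44:<bounce@example.net>:<victim@example.org>:1119344024:1119345524:1119358424:1:0
WHITE:192.0.2.10:::1119300000:1119372000:1122000000:3:12
"""


def parse_spamdb(output):
    """Parse spamdb lines into dicts.  IPv4 only: this spamd's ':' separator
    would collide with IPv6 addresses.  Lines without nine fields are skipped."""
    entries = []
    for line in output.splitlines():
        fields = line.split(":")
        if len(fields) != 9 or fields[0] not in ("GREY", "WHITE", "TRAPPED"):
            continue
        kind, ip, sender, recipient, first, passtime, expire, bcount, pcount = fields
        entries.append({"type": kind, "ip": ip, "from": sender, "to": recipient,
                        "first": int(first), "pass": int(passtime),
                        "expire": int(expire), "bcount": int(bcount),
                        "pcount": int(pcount)})
    return entries


def grey_entry_for(entries, ip, sender, recipient, ignore_ip=False):
    """Return the GREY entry a new connection is compared against.  spamd keys
    on the full (ip, from, to) tuple; ignore_ip=True models the 'same
    sender/receiver pair from any IP' change proposed in the post."""
    for e in entries:
        if e["type"] != "GREY" or e["from"] != sender or e["to"] != recipient:
            continue
        if ignore_ip or e["ip"] == ip:
            return e
    return None


def would_whitelist(entries, ip, sender, recipient, now, ignore_ip=False):
    """True if the connection is promoted to WHITE: a matching GREY entry
    exists, its pass time has arrived and the entry has not expired."""
    e = grey_entry_for(entries, ip, sender, recipient, ignore_ip)
    return e is not None and e["pass"] <= now < e["expire"]


def demo():
    """Compare spamd's behaviour with the proposed one when a fourth, never
    seen host retries the same From/To after the pass time."""
    entries = parse_spamdb(SPAMDB_OUTPUT)
    now = 1119346000            # constructed: past every pass time, before expiry
    sender, recipient = "<bounce@example.net>", "<victim@example.org>"
    new_host = "198.51.100.77"  # constructed: not in the database
    return {
        "spamd": would_whitelist(entries, new_host, sender, recipient, now),
        "ignore_ip": would_whitelist(entries, new_host, sender, recipient, now, ignore_ip=True),
        "known_host_retry": would_whitelist(entries, "198.51.100.11", sender, recipient, now),
    }


if __name__ == "__main__":
    print(demo())   # {'spamd': False, 'ignore_ip': True, 'known_host_retry': True}
```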
Re: Snapshot from 03/June : spamd working ?
> Thanks for your help Steve, I think Otto is looking at the *real* problem.

You clearly don't understand the real problem. The SBL and XBL are two different lists. Your spamd configuration uses the SBL, and tarpits all hosts that appear on it. Your sendmail configuration uses both the SBL and XBL, and so the XBL hosts which do not appear in the SBL are blocked by sendmail. The two examples you gave are both listed in the XBL, but not the SBL, if you would do the IP lookup at spamhaus.org.

Your setup is working fine.

Steve
Re: Snapshot from 03/June : spamd working ?
>> Because those addresses are in the XBL, not the SBL. The XBL is populated by entries from the CBL, which are added when virus-like or worm-like behavior is detected, and entries are removed at the first request. Doesn't really make a whole lot of sense to try to create a static list for it, when the SBL list is only updated twice a day anyway. Of course, you could just go to www.spamhaus.org and read up on how it works.
>>
>> Steve
>
> Thanks for the tip Steve, I've just read up on it.. and it seems to suggest that using sbl+xbl is a good thing. What exactly is spamd going to catch then ?

spamd will tarpit entries in the SBL, which are (supposed to be) actual spamming operations. The idea behind spamd is to waste the time and resources of spam operations, not simply to reject their mail. If you're only looking to reject mail, then don't use spamd.
Re: Snapshot from 03/June : spamd working ?
> FEATURE(`dnsbl',`relays.ordb.org', `Rejected - see http://ordb.org/')dnl
> FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
>
> Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, arg1=[210.213.176.247], arg2=127.0.0.4, relay=210.213.176.247.pldt.net [210.213.176.247] (may be forged), reject=553 5.3.0 Rejected - see http://spamhaus.org/
> Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553 5.3.0 Rejected - see http://spamhaus.org/
>
> So given that both spamd and sendmail are configured to talk to spamhaus, why is openbsd 3.7 spamd not blocking connections from these guys ?

Because those addresses are in the XBL, not the SBL. The XBL is populated by entries from the CBL, which are added when virus-like or worm-like behavior is detected, and entries are removed at the first request. Doesn't really make a whole lot of sense to try to create a static list for it, when the SBL list is only updated twice a day anyway. Of course, you could just go to www.spamhaus.org and read up on how it works.

Steve
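The diagnostic Steve performs above, read straight off the sendmail log: the arg2 value is the DNSBL return address, and for the sbl-xbl zone it says which list matched, so a rejection with 127.0.0.4 was an XBL hit that an SBL-only spamd could never have tarpitted. This is an added example, not code from the thread; the log lines are constructed in the quoted check_relay format, and the return-code mapping (127.0.0.2 SBL, 127.0.0.4 through 127.0.0.7 XBL) is an assumption taken from Spamhaus' documentation that should be checked against the current return-code table.

```python
import re


def spamhaus_list(code):
    """Map an sbl-xbl.spamhaus.org return address to the list it signals.
    Assumption: 127.0.0.2 = SBL, 127.0.0.4-7 = XBL (per Spamhaus docs)."""
    if not code.startswith("127.0.0."):
        return "unknown"
    last = int(code.rsplit(".", 1)[1])
    if last == 2:
        return "SBL"
    if last in (4, 5, 6, 7):
        return "XBL"
    return "unknown"


# Constructed sendmail check_relay log lines in the format quoted above; relay
# addresses are documentation-range placeholders.
SENDMAIL_LOG = """\
Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, arg1=[198.51.100.23], arg2=127.0.0.4, relay=host.example [198.51.100.23] (may be forged), reject=553 5.3.0 Rejected - see http://spamhaus.org/
Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, arg1=[198.51.100.88], arg2=127.0.0.4, relay=[198.51.100.88], reject=553 5.3.0 Rejected - see http://spamhaus.org/
Jun 17 21:02:11 inetmail sendmail[13402]: ruleset=check_relay, arg1=[203.0.113.5], arg2=127.0.0.2, relay=[203.0.113.5], reject=553 5.3.0 Rejected - see http://spamhaus.org/
"""

CHECK_RELAY_RE = re.compile(r"ruleset=check_relay, arg1=\[([\d.]+)\], arg2=([\d.]+)")


def classify_rejections(log_text, spamd_lists=("SBL",)):
    """For each dnsbl rejection, report which Spamhaus list matched and whether
    a spamd fed only `spamd_lists` (SBL, as in the poster's setup) would have
    tarpitted that host before sendmail ever saw it."""
    rows = []
    for line in log_text.splitlines():
        m = CHECK_RELAY_RE.search(line)
        if not m:
            continue
        ip, code = m.groups()
        listed = spamhaus_list(code)
        rows.append({"ip": ip, "code": code, "list": listed,
                     "spamd_would_tarpit": listed in spamd_lists})
    return rows


def summarize(log_text):
    """Count sendmail rejections against what the SBL-only spamd covers."""
    rows = classify_rejections(log_text)
    return {"sendmail_rejected": len(rows),
            "spamd_covered": sum(r["spamd_would_tarpit"] for r in rows),
            "xbl_only": sum(r["list"] == "XBL" for r in rows)}


if __name__ == "__main__":
    for row in classify_rejections(SENDMAIL_LOG):
        print(row)
    print(summarize(SENDMAIL_LOG))
```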
Re: spamd-setup: spamhaus error
On Sat, 11 Jun 2005, Frank Bax ([EMAIL PROTECTED]) wrote:

> I've been getting this error message since midnight...
>
> # /usr/libexec/spamd-setup -d
> blacklist myblack 2 entries
> whitelist mywhite 69 entries
> Getting http://www.openbsd.org/spamd/SBL.cidr.gz
> spamd-setup: Could not add blacklist spamhaus: Input/output error
>
> http://www.openbsd.org/spamd/
>
> I tried original source: http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2 but webpage says openrbl.org domain expired yesterday (June.10).

The file is available at http://mirror.bliab.com/sbl/SBL.cidr.bz2